<p>Amazon OpenSearch Service is a managed service to host OpenSearch instances. It replaces Elasticsearch Service, which has been deprecated.</p>
<p>To harden domain (cluster) data in case of unauthorized access, OpenSearch provides data-at-rest encryption if the engine is OpenSearch (any
version), or Elasticsearch with a version of 5.1 or above. Enabling encryption at rest will help protect:</p>
<ul>
  <li> indices </li>
  <li> logs </li>
  <li> swap files </li>
  <li> data in the application directory </li>
  <li> automated snapshots </li>
</ul>
<p>Thus, adversaries cannot access the data if they gain physical access to the storage medium.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The database contains sensitive data that could cause harm when leaked. </li>
  <li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It is recommended to encrypt OpenSearch domains that contain sensitive information.</p>
<p>OpenSearch handles encryption and decryption transparently, so no further modifications to the application are necessary.</p>
<h2>Sensitive Code Example</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html">aws-cdk-lib.aws_opensearchservice.Domain</a>:</p>
<pre>
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleDomain = new opensearchservice.Domain(this, 'ExampleDomain', {
  version: EngineVersion.OPENSEARCH_1_3,
}); // Sensitive, encryption must be explicitly enabled
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomain.html">aws-cdk-lib.aws_opensearchservice.CfnDomain</a>:</p>
<pre>
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleCfnDomain = new opensearchservice.CfnDomain(this, 'ExampleCfnDomain', {
  engineVersion: 'OpenSearch_1.3',
}); // Sensitive, encryption must be explicitly enabled
</pre>
<h2>Compliant Solution</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.Domain.html">aws-cdk-lib.aws_opensearchservice.Domain</a>:</p>
<pre>
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleDomain = new opensearchservice.Domain(this, 'ExampleDomain', {
  version: EngineVersion.OPENSEARCH_1_3,
  encryptionAtRest: {
    enabled: true,
  },
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomain.html">aws-cdk-lib.aws_opensearchservice.CfnDomain</a>:</p>
<pre>
import { aws_opensearchservice as opensearchservice } from 'aws-cdk-lib';

const exampleCfnDomain = new opensearchservice.CfnDomain(this, 'ExampleCfnDomain', {
  engineVersion: 'OpenSearch_1.3',
  encryptionAtRestOptions: {
    enabled: true,
  },
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html">AWS Documentation</a> - Encryption of
  data at rest for Amazon OpenSearch Service </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222588">Application Security and
  Development: V-222588</a> - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at
  rest. </li>
</ul>
